The General Data Protection Regulation (GDPR) affects any Arcadier administrator who is based in Europe or serves European merchants and consumers.
Arcadier provides marketplace administrators with the tools and features needed to be GDPR compliant and, where necessary, will not withhold information you request on behalf of your end users. That said, this page does not constitute legal advice. The GDPR is a complex regulation, and you should consult a lawyer to determine what you specifically need to do.
The GDPR imposes different obligations on controllers and processors of data. As a processor of data, Arcadier fulfills its own legal obligations under the GDPR. However, marketplace administrators (as controllers) also have their own separate obligations they must consider.
Below is a non-exhaustive checklist that marketplace administrators might want to consider:
- The GDPR protects the fundamental rights of individuals within the European Union in relation to the processing of personal data.
- Examples of personal data include:
  - Name
  - Address
  - Email address
  - Social media account
  - Digital identifier such as an IP address or a cookie ID.
- Privacy Policy
  - The GDPR requires that you provide specific information to individuals whose data you are processing, generally in the form of a privacy policy.
- Appointing a Data Protection Officer
  - A Data Protection Officer (DPO) oversees how your organization collects and processes personal data. If your business is above a certain size in terms of data subjects, the GDPR requires that you appoint a DPO and provide the DPO's contact information in your Privacy Policy.
- Customer consent
  - Under the GDPR, you might need to obtain consent to process the personal data of your users, or change how you currently obtain that consent.
  - Where you need to obtain consent, the GDPR says that it must be:
    - Freely given: it must be entirely voluntary and should not be bundled with other goods or services.
    - Specific: it must be tied to clearly explained use cases.
    - Informed: it can only be given if the data subject is provided with enough information about the personal data that will be collected and used.
    - Unambiguous: it must be demonstrated by an affirmative act by the merchant (that is, not simply by continuing to use the services).
- Children
  - The GDPR includes specific parental-consent requirements for processing the personal data of users who are deemed too young (the age is 16 and below in the European Economic Area, but could be different elsewhere).
- Data breach notification
  - If the GDPR applies to you and you experience a data breach, you might be required to notify affected users or specific regulatory bodies.
  - In particular, the GDPR requires notice where a data breach is likely to result in a high risk to individuals' rights and freedoms.
- Third-party apps
  - The GDPR requires that you take a number of affirmative steps relating to your own and your third-party service providers' collection and use of personal data. This includes Arcadier, but also any third-party apps that you use in connection with your Arcadier marketplace (e.g. PayPal, Stripe and Omise).
- International data transfers
  - The GDPR prohibits exporting the personal data of Europeans outside of Europe unless that information will be adequately protected.
  - Arcadier protects personal data according to the requirements of the GDPR as it is transferred and processed.
  - It is important to ensure that other parties you transfer data to will in turn transfer that data in a way that complies with the GDPR.
Arcadier will continually build features over the next few releases to enable marketplace administrators to support GDPR requests with increasing ease.